Cork hospital ordered to furnish documents to patient who is suing it over ransomware attack

The plaintiff in the case is seeking various orders and damages arising from what his solicitor Micheal O’Dowd called “failures in security and organisational measures” at the hospital.

This, they allege, resulted in third parties “processing and disseminating the plaintiff’s personal data and sensitive personal data”. 

On Tuesday, at Cork Circuit Court county registrar Clare O'Shea-O'Neil, said she hoped she had struck a balance between allowing the plaintiff to prosecute their case without being "unduly burdensome on the Mercy Hospital".

She ordered that the plaintiff's barrister be given access to documents which involve the plaintiff's personal data which were processed by the defendant, its servants or agents.

Ms O'Shea-O'Neill said the plaintiff in the case was entitled to know what data pertaining to him is held by the defendant. The hospital has 585 documents in the name of the plaintiff. However, some relate to other persons who share his name.

The county registrar said they should be able to narrow the search down by checking the dates of birth of addresses to make sure they pertain to the plaintiff.

She also ordered that the plaintiff's barrister be given access to documents which relate to the record of any processing activities and data protection impact assessments carried out by Mercy University Hospital from the commencement of the Data Protection Act 2018 to date.

She also ordered that the hospital give the plaintiff documentation which concerns the hospital's registration with the Data Protection Commissioner. She said this documentation should be sufficient to prove the defendant (the hospital) is the data controller or joint data controller.

Ms O'Shea-O'Neill also ordered that documents be disclosed which concern the technical and organisational security measures implemented, or recommended to be implemented, by Mercy University Hospital for the processing of patient personal data as relates to to the plaintiff for five years prior to May 14, 2021.

She said if there was no such audit or in this time period, then the hospital should provide the most recent audit or report available.

"Such reviews are likely to be infrequent and therefore not voluminous. If they are voluminous they would likely support the assertion of the defendants that they had appropriate measures in places.

"If they are absent it would likely support the plaintiff's case that at a minimum the defendants' system were outdated."

Ms O'Shea-O'Neill said the defendant had put the plaintiff on proof that the this resulted in a personal data breach.

She said the plaintiff was uncertain as to what personal data of his was secured by third parties. She indicated the plaintiff was "entitled to know" what data pertaining to him held by the hospital was obtained by third parties.

Ms O'Shea-O'Neill refused to order the disclosing of certain sub categories of documentation on the basis they had been sufficiently covered in other areas. The country registrar allocated a period of two months to swear the affidavit of discovery.

Meanwhile, on Monday at the Circuit Court, barrister for the plaintiff Matthew Maguire said Mercy University Hospital had only wanted to furnish “gold standard window dressing” policy documents. But he indicated these gold standard policies were in all likelihood “what they should have done” rather than the reality of what occurred.

He added the defendant was putting his client in a position that he even had prove he was a patient at the hospital and that the ransomware attack occurred.

However, barrister for Mercy University Hospital Hannah Cahill BL argued it would be “extremely onerous” to search for all the documents requested by the plaintiff. 

She requested that proportionality be applied in the case. otherwise it would be “far too costly and burdensome on a public hospital”. 

“The plaintiff has not established the necessity of documents sought beyond what has been offered by the defendant. If the order is quite broad, it will be difficult to comply.” 

She said the defending hospital “had not put its head in the sand” and was offering the relevant documentation to the plaintiff.

“Anything beyond what is set out in our reply affidavit would be disproportionate.” On Monday afternoon, the County Registrar Clare O'Shea-O'Neill retired to make her decision in relation to the matter.

Prior to retiring she said Ms Cahill had made a “good argument on proportionality.” However, she said the hospital had caused itself problems by not going down the route of employing “a more nuanced defence".

“The dogs on the street seem to know X, Y and Z. Putting the plaintiff on proof that there was a ransomware attack is over reaching.” 

The case relates to the May 14, 2021, ransomeware attack on the HSE which caused all of IT systems countrywide to be shut down. It stands as the most significant cybercrime attack on an Irish State agency. Data stolen in the attack later appeared on the dark web.